tags:
views: 196
answers: 1

Hi,

Which user-mode functions in Windows 7 can I hook to monitor/intercept file access?

I've tried ntdll.dll's NtOpenFile(), NtCreateFile(), but some of these aren't files - they're also pipes and mutexes. Same goes for kernel32.dll's CreateFile(). Is there a function that is called only to access files/directories? If it helps, I'm trying to only hook explorer.exe to prevent access to firefox.exe. I'm also using EasyHook, if any of you have familiarity with it.

I think I've also read somewhere that, using the parameters from NtOpenFile/NtCreateFile, you can distinguish between file access/pipe access. But that's still a bit hazy. Is there a nice comfortable function to hook?

EDIT: Please keep in mind I do need to intercept file access to prevent access to some files. EasyHook is a great solution, since it allows me to perform complicated hooking in a few easy steps in C# managed code.

Thanks in advance.
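As an added example (not code from the question, from EasyHook, or from the answer below), here is the "look at the parameters" approach the asker half-remembers, written as an EasyHook in-process hook on ntdll!NtCreateFile. The only reliable discriminator the call gives you is OBJECT_ATTRIBUTES.ObjectName, the NT-native name: a Win32 CreateFile("\\\\.\\pipe\\x") arrives here as "\??\pipe\x", a drive-letter path as "\??\C:\...", a UNC path as "\??\UNC\...". (Mutexes never come through this call at all; they are created with NtCreateMutant.) The class name FirefoxGuard, the helper NtNames, the NtObjectKind enum, the channelName argument and the STATUS_ACCESS_DENIED constant are my assumptions; the structs, the NtCreateFile signature and the EasyHook calls (LocalHook.Create, LocalHook.GetProcAddress, ThreadACL.SetExclusiveACL, IEntryPoint) are real. It catches only opens that explorer.exe itself issues in user mode; opens done on its behalf in kernel mode, or by other processes, are not seen.

```csharp
using System;
using System.Runtime.InteropServices;
using EasyHook;

[StructLayout(LayoutKind.Sequential)]
struct UNICODE_STRING
{
    public ushort Length;        // in bytes, not characters
    public ushort MaximumLength;
    public IntPtr Buffer;        // PWSTR, not guaranteed NUL-terminated
}

[StructLayout(LayoutKind.Sequential)]
struct OBJECT_ATTRIBUTES
{
    public int Length;
    public IntPtr RootDirectory;   // non-null: ObjectName is relative to this handle
    public IntPtr ObjectName;      // PUNICODE_STRING
    public uint Attributes;
    public IntPtr SecurityDescriptor;
    public IntPtr SecurityQualityOfService;
}

enum NtObjectKind { File, NamedPipe, Mailslot, Relative, Other }

static class NtNames
{
    // Copies the NT-native name (e.g. @"\??\C:\Program Files\Mozilla Firefox\firefox.exe") out of the call.
    public static string ReadObjectName(ref OBJECT_ATTRIBUTES oa)
    {
        if (oa.ObjectName == IntPtr.Zero) return string.Empty;
        var us = (UNICODE_STRING)Marshal.PtrToStructure(oa.ObjectName, typeof(UNICODE_STRING));
        if (us.Buffer == IntPtr.Zero || us.Length == 0) return string.Empty;
        return Marshal.PtrToStringUni(us.Buffer, us.Length / 2);
    }

    // Classifies by NT name prefix. Relative opens would need NtQueryObject on RootDirectory to resolve.
    public static NtObjectKind Classify(string ntName, IntPtr rootDirectory)
    {
        if (rootDirectory != IntPtr.Zero) return NtObjectKind.Relative;
        var c = StringComparison.OrdinalIgnoreCase;
        if (ntName.StartsWith(@"\??\pipe\", c) || ntName.StartsWith(@"\Device\NamedPipe\", c))
            return NtObjectKind.NamedPipe;
        if (ntName.StartsWith(@"\??\mailslot\", c) || ntName.StartsWith(@"\Device\Mailslot\", c))
            return NtObjectKind.Mailslot;
        bool driveLetter = ntName.Length >= 7 && ntName.StartsWith(@"\??\", c)
                           && char.IsLetter(ntName[4]) && ntName[5] == ':' && ntName[6] == '\\';
        if (driveLetter || ntName.StartsWith(@"\??\UNC\", c)
            || ntName.StartsWith(@"\Device\HarddiskVolume", c) || ntName.StartsWith(@"\Device\Mup\", c))
            return NtObjectKind.File;
        return NtObjectKind.Other;   // \??\COM1, \??\PhysicalDrive0, sockets, ...
    }
}

// EasyHook injects this assembly, constructs the class, then calls Run() inside the target.
public class FirefoxGuard : IEntryPoint
{
    const int STATUS_ACCESS_DENIED = unchecked((int)0xC0000022);

    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate int NtCreateFileDelegate(out IntPtr fileHandle, uint desiredAccess, ref OBJECT_ATTRIBUTES oa,
        IntPtr ioStatusBlock, IntPtr allocationSize, uint fileAttributes, uint shareAccess,
        uint createDisposition, uint createOptions, IntPtr eaBuffer, uint eaLength);

    // Calling the real export from inside the handler passes through the hook (EasyHook tracks re-entry per thread).
    [DllImport("ntdll.dll")]
    static extern int NtCreateFile(out IntPtr fileHandle, uint desiredAccess, ref OBJECT_ATTRIBUTES oa,
        IntPtr ioStatusBlock, IntPtr allocationSize, uint fileAttributes, uint shareAccess,
        uint createDisposition, uint createOptions, IntPtr eaBuffer, uint eaLength);

    LocalHook _hook;

    public FirefoxGuard(RemoteHooking.IContext ctx, string channelName) { }

    public void Run(RemoteHooking.IContext ctx, string channelName)
    {
        _hook = LocalHook.Create(LocalHook.GetProcAddress("ntdll.dll", "NtCreateFile"),
                                 new NtCreateFileDelegate(NtCreateFile_Hooked), this);
        _hook.ThreadACL.SetExclusiveACL(new int[] { 0 });   // empty exclusive ACL = hook every thread
        while (true) System.Threading.Thread.Sleep(1000);   // keep the injected library resident
    }

    static int NtCreateFile_Hooked(out IntPtr fileHandle, uint desiredAccess, ref OBJECT_ATTRIBUTES oa,
        IntPtr ioStatusBlock, IntPtr allocationSize, uint fileAttributes, uint shareAccess,
        uint createDisposition, uint createOptions, IntPtr eaBuffer, uint eaLength)
    {
        string name = NtNames.ReadObjectName(ref oa);
        if (NtNames.Classify(name, oa.RootDirectory) == NtObjectKind.File
            && name.EndsWith(@"\firefox.exe", StringComparison.OrdinalIgnoreCase))
        {
            fileHandle = IntPtr.Zero;
            return STATUS_ACCESS_DENIED;       // pipes, mailslots and other files fall through untouched
        }
        return NtCreateFile(out fileHandle, desiredAccess, ref oa, ioStatusBlock, allocationSize,
                            fileAttributes, shareAccess, createDisposition, createOptions, eaBuffer, eaLength);
    }
}
```

The host process injects it with EasyHook's RemoteHooking.Inject(explorerPid, "FirefoxGuard.dll", "FirefoxGuard.dll", channelName); on x64 Windows 7 explorer.exe is 64-bit, so the assembly must be built AnyCPU, which is why the structs use IntPtr rather than int for pointer-sized fields. NtOpenFile takes an OBJECT_ATTRIBUTES in the same position and can be classified with the same NtNames helper.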

A: 

There is no "file open function" that only opens files. Furthermore, hooking is only supported using Detours. Finally, you must ensure that all computers running this have .NET 4.0 installed, so they can run in-proc SxS.

A far superior solution is to change the file permissions on firefox.exe. This is a solution that requires no licensing of Detours, and is supported.

Stephen Cleary
Maybe changing file permissions will work, but it's definitely not as elegant and I enjoy the challenge. What do you mean by hooking is only supported by Detours? Detours is discontinued; EasyHook is a superior library.
Rudi
What do you mean that Detours is discontinued? [It is still listed on Microsoft's IP licensing page.](http://www.microsoft.com/about/legal/en/us/IntellectualProperty/IPLicensing/Programs/Detours.aspx) Most major OS upgrades include more protection against hooking programs (which are usually spyware or viruses). Microsoft won't hesitate to break EasyHook-based programs for security reasons, but they support Detours.
Stephen Cleary
File permissions are the most elegant solution to the problem. Think about it: you wish to restrict access to a specific file. Um... file permissions are the most elegant solution. There is definitely a challenge to hooking (especially kernel code on x64), but a "challenge" is a horrible excuse to write horrible code.
Stephen Cleary
And if they simply overwrote the file permissions again? Am I going to be polling the permission masks and overwriting them again with all Deny periodically?
Rudi
Either the user owns the computer or not. If the user owns the computer, then it is their prerogative to change the file permissions, and no program should take that right away. If the user does not own the computer, then they should not be in the `Administrators` group and they simply don't have the permission to change the permissions on the file.
Stephen Cleary
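As an added example of the answer's recommendation (not code from the answer or from any project), this is the file-permission approach in the same C#/.NET the asker is already using, plus the check that addresses the "what if they overwrite the permissions again" comment. Two facts drive the design: an explicit Deny ACE is evaluated before any Allow ACE, so it overrides the inherited "Users: Read & execute" that Program Files carries; and the owner of a file can always rewrite its DACL (READ_CONTROL and WRITE_DAC are implicit for the owner), so the file must not be owned by the account being restricted. The install path, the class name FirefoxAcl and the choice of BUILTIN\Users as the restricted group are my assumptions; FileInfo.GetAccessControl/SetAccessControl, FileSystemAccessRule and WellKnownSidType are the .NET Framework APIs. Run it elevated.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class FirefoxAcl
{
    // Explicit Deny for read+execute; wins over inherited Allow ACEs regardless of order in the DACL.
    public static void DenyReadExecute(string path, IdentityReference who)
    {
        var fi = new FileInfo(path);
        FileSecurity acl = fi.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(who, FileSystemRights.ReadAndExecute, AccessControlType.Deny));
        fi.SetAccessControl(acl);
    }

    // Hand the file to Administrators so a non-admin owner cannot simply strip the Deny ACE again.
    // Needs an elevated token (Administrators is an eligible owner SID there).
    public static void MakeAdminsOwner(string path)
    {
        var fi = new FileInfo(path);
        FileSecurity acl = fi.GetAccessControl();
        acl.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
        fi.SetAccessControl(acl);
    }

    // Verification: is there a non-inherited Deny ACE for `who` that covers ExecuteFile?
    public static bool HasExplicitDeny(string path, IdentityReference who)
    {
        var sid = who.Translate(typeof(SecurityIdentifier));
        FileSecurity acl = new FileInfo(path).GetAccessControl();
        foreach (FileSystemAccessRule r in acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (r.AccessControlType == AccessControlType.Deny
                && r.IdentityReference.Equals(sid)
                && (r.FileSystemRights & FileSystemRights.ExecuteFile) != 0)
                return true;
        }
        return false;
    }

    static void Main()
    {
        string path = @"C:\Program Files (x86)\Mozilla Firefox\firefox.exe";   // assumed install path
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

        MakeAdminsOwner(path);
        DenyReadExecute(path, users);

        string owner = new FileInfo(path).GetAccessControl().GetOwner(typeof(NTAccount)).Value;
        Console.WriteLine("owner: " + owner);
        Console.WriteLine(HasExplicitDeny(path, users) ? "deny ACE in place" : "deny ACE missing");
    }
}
```

Because the Deny ACE is written into the file's own DACL on disk, it is enforced by the kernel for every process and every access path, not only for explorer.exe, and there is nothing to poll: a member of Users without Administrators membership has no WRITE_DAC on the file and cannot undo it.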